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Digital Testing Device 
Field of the Invention 

The present invention relates to a digital testing device, and more particularly but not 
exclusively to a digital testing device and method for use in the data communications and 
telecommunications fields. 

Background of the Invention 

Modern telecommunications systems are generally constructed of various elements capable 
of data processing and data communication support. The various elements may be interlinked 
in order to establish reliable data flow between the elements and in order to guarantee proper 
harmonic operation as one complete system. In passing through such systems digital data can 
be put through numerous complex processes, each using numerous protocols. For example, in 
digital communications, switching, modulating, encoding, decoding and numerous other 
operations are needed. Each operation involves a different algorithm or protocol or series 
thereof that must be thoroughly tested. The protocols may be standard protocols or they may be 
proprietary protocols unique to the equipment manufacturer. Frequently the manufacturer uses 
an in-house modification of a standard protocol. In general, each different protocol or group of 
similar protocols requires a different test device, and often even minor variations of the 
algorithm may require the use of a different device. A single communication system may 
combine equipment of several manufacturers. It may thus require numerous test devices and be 
very difficult to test. Furthermore, the different test devices generally do not work together and 
thus test of integrated scenarios is generally not possible. 

Manufacturers find the use of proprietary algorithms helpful, however, one of the 
disadvantages of using such an algorithm is that time to market is delayed whilst a suitable test 
device can be designed and perfected. 

In addition, data links occasionally make use of security algorithms such as encryption 
systems, which need to be safeguarded, and some manufacturers may wish to keep their 
proprietary algorithms secret. 



WO 01/28060 PCT/IL00/00639 

Summary Of The Invention 

In accordance with a first aspect of the present invention there is provided a digital testing 
device comprising: at least one data interface, a plurality of predetermined protocols, a protocol 
selector for selecting any combination of said protocols to operate on said digital data, and an 
output for outputting results of applying said digital data to said selected protocols. 

According to a second aspect of the present invention there is provided a digital testing 
device comprising: at least one data interface, a user interface, a protocol constructor operable 
to accept data from said user interface and to construct a protocol in accordance therewith, said 
protocol being able to operate on said digital data, and an output for outputting results of 
applying said digital data to said selected protocols. 

According to a third aspect of the present invention there is provided a digital testing device 
comprising, at least one data interface, a plurality of predetermined protocols, a user interface, a 
protocol constructor operable to accept data from said user interface and to construct an 
additional protocol in accordance therewith, said protocol being able to operate on said digital 
data, a protocol selector for selecting any combination of said protocols to operate on said 
digital data and an output for outputting results of applying said digital data to said selected 
protocols.. 

A fourth aspect of the present invention comprises a digital simulation device which 
comprises the protocols, a protocol constructor, the user interface, a protocol selector and the 
output. Instead data is produced automatically within the device itself and sent via the interface 

Preferably, the digital data is the output of all or part of a communications device. The 
device may be comprised within a computer. The output may comprise a configurable data 
protocol which may be set to find points of interest in the data under test. The input may 
comprise a selectable one of a plurality of device interfaces. The device interfaces are 
preferably designed with specific digital equipment in mind and may be operable to hide 
characteristics of the equipment from the device. Means are provided for enabling the user to 
generate new device interfaces or to configure existing device interfaces. 

Embodiments of the invention are operable with any digital data. 

The protocols referred to above preferably synthesize the data format of various 
communication protocols as used in communications engineering. 

The protocols are preferably descendant objects of a protocol-independent parent object, 
which may alternatively be referred to as a virtual protocol. The protocol-independent parent 
object is preferably operable to support processing of data according to any predefined protocol, 
which may be a descendant object thereof. Ths algorithm-independent parent object may 
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support certain desirable features such as smart filtering, triggering and simulation operations, 
which enhance testing ability. The protocols may be templates for arranging incoming data into 
the data field and packet format of any predetermined protocol or other communication 
algorithm. 

The protocol constructor preferably comprises a bank of predefined protocol substeps 
represented by visual items in the user interface, individually selectable by a user through said 
user interface to build a protocol. 

The specific device interfaces referred to above are preferably represented by visual items in 
the user interface, individually selectable by a user through said user interface. 

Embodiments of the invention may thus provide a multi-interface, multi-protocol analyzer 
and simulator for testing or simulating .complex communication systems involving any standard 
or proprietary protocol. The embodiments are based on a virtual protocol model. 

In an embodiment, automatic association may be made between a given device interface and 
one of said plurality of protocols. In a further embodiment, external test devices may be 
integrated into the system using a suitably designed interface. 

Embodiments of the invention may provide a device that can test an entire 
telecommunication system comprising equipment from numerous manufacturers, using a 
plurality of ports each of which can be programmed to operate on a different protocol, and 
which can be associated logically one with the other. The device may enable a reduction in 
development time and cost. 

Brief Description of the Drawings 
For a better understanding of the invention and to show how the same may be carried into 
effect, reference is now made, purely by way of example, to the accompanying drawings, in 
which: 

Fig. 1 is a simplified diagram of a first embodiment of a device according to the invention, 
Fig. 2 is a generalized block diagram of a device according to a preferred embodiment of the 
present invention, 

Fig. 3 is a generalized layer diagram of an embodiment of the present invention, 
Fig. 4 is a generalized diagram showing in more detail the virtual protocol model core of 
Fig. 3, 

Fig. 5 is a screen view of an exemplary protocol of the kind described in Fig. 4, as seen from 
within the protocol designer, 



3 



WO 01/28060 PCT/IL00/00639 

Fig. 6 shows the first step in the process of designing an object for testing a proprietary 
protocol, 

Fig. 7 is a screen view showing how the user interface 26 permits selection of a prestored 

interface for the interface object, 

Fig. 8 is a screen view of available protocols including that defined in Fig. 6, 

Fig. 9 is a screen view showing a new logical channel configured with a protocol and 

physical interface, 

Fig. 10 is a tree diagram showing a tree object based on the protocol shown in Fig. 6, 
Fig. 1 1 is a screen view showing the monitor output when test data bytes arrive and fit into 
the protocol tree as shown in Fig. 10, and 

Fig. 12 is a screen view showing a capture filter for monitoring the results of the analysis of 

Fig. 11. 



Description of the Preferred Embodiments 
Reference is firstly made to Fig. 1, which is a simplified diagram of a first embodiment of a 
device according to the invention. An interface connector 10 is attachable to a 
telecommunications system unit 12 or other communication device, in such a way that it is able 
to extract data for testing. The interface connector is attached to a portable, or other, computer 
14, which carries out an analysis of the extracted data. The interface connector is simply a 
buffering device allowing data from the exchange unit 12 to reach an input port of the computer 
14. In some embodiments, buffering may not be necessary. 

The use of a general-purpose computer for carrying out the analysis of the extracted data is 
preferred but not essential. As an alternative, it is possible to use a dedicated digital device. 

Reference is now made to Fig. 2, which is a generalized block diagram of a device according 
to a preferred embodiment of the present invention. It is to be bome in mind that the invention 
does not solely encompass the device configured for use but also relates to the features of the 
device that aid easy configuration and also to the method of configuration. 

In Fig. 2, a device interface 20 provides interfacing with the equipment to be tested. The 
interface is preferably selected to be specific to the equipment and is operable to hide hardware 
features of the equipment under test from the device. 

A protocol bank 22 comprises a plurality of predefined protocols Pi...P N , all of which are 
designed to simulate the operation, on a datastream, of a specific item of equipment. The 
relevant protocol or protocols are selected by the user through a protocol selector screen of a 
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user interface (Fig. 8 below). The user interface is preferably a visual interface; wherein 
objects to be selected by the user are generally presented as graphical icons. 

In the event that the desired protocol is not present, the device allows for the easy addition of 
new protocols. This may be done by obtaining a predefined protocol from an external source 
such as the Internet, or it may be done by use of a protocol designer (46 in Fig.3). The protocol 
designer 46 contains a bank of protocol substeps (not shown), which are preferably represented 
by icons in the user interface. The user is able to select from the substeps to build his own 
protocol PNew, as will be explained in greater detail below. The newly formed protocol is then 
available for protocol selection in the same way as the predefined protocols Pi...Pn 

An output unit 32, again configurable through the user interface, filters the output data for 
interpretation by the user. User configurable filters Fi...F M are stored in a filter bank 24 and 
customization thereof will be discussed below with respect to Fig. 12. User configurable 
triggers Ti...T K , for triggering test operations and the like, are stored in a trigger bank 26 and 
are likewise customizable through the user interface. 

As will be discussed below, devices according to the present invention may run simulations 
as well as tests. Thus a bank of prestored and configurable simulations is stored in a simulation 
bank 28. 

A virtual protocol model core 30 is a parent object that encapsulates a generic description of 
a communication protocol. It is preferably able to take on the characteristics of any protocols 
and the like that are applied to it. This is because all of the protocols etc. that have been 
discussed with respect to Fig. 2 are preferably defined as descendant objects thereof, as will be 
discussed in more detail below. An advantage of such a parent descendant arrangement is that 
when a protocol is prepared and or applied by a user, it requires no compilation or 
pre-processing but rather can be used immediately. 

Reference is now made to Fig. 3, which is a generalized layer diagram of an embodiment 
of the present invention. A virtual protocol model core 40, as discussed above, is a parent 
object that encapsulates a generic description of a communication protocol Three types of 
descendant objects of the core 40 are defined as a protocol simulator 42, a protocol analyzer 44 
and a protocol designer 46. The protocol designer allows for the definition of a new protocol 
using the user interface as discussed above. A dedicated language is preferably used in order to 
facilitate the application of the virtual protocol by which the new protocol is to be described. 
The dedicated language preferably permits the creation of any combination of protocol layers 
by applying the object-oriented concept (inheritance & encapsulation). A simple linkage 
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between protocol components can lead to the construction of a wide and complex protocol 
library, where each protocol is built from very simple protocol components. 

The user interface preferably provides a visual protocol designer utility, as mentioned above, 
which allows the construction of protocol components without the user needing to be familiar 
with the modeling language. 

The protocol analyzer 44 allows for analysis of any protocol added to the protocol model 
core, or any set or combination of protocols. The protocol simulator 42 allows for the 
simulation of any protocol, or set or combination thereof added to the model core 40. 

A further parent object is the device interface object 48, which is a generic model of a device 
data interface. A specific interface object appropriate to the system under test 50 and which is a 
descendant of the generic interface object, is preferably selected as described above. The model 
core, as mentioned, is preferably hardware independent. It is preferably data frame oriented, 
which means that any data pattern can be analyzed or generated as long as it is bit oriented. The 
specific interface object 48 permits easy interfacing with external hardware. The generic 
interface object 48 preferably comprises several interface functions that hide hardware 
dependent parameters. 

A plurality of interfaces may be used at the same time so that more than one data channel or 
device may be tested simultaneously. Preferably, the device is configurable so that logical 
connections are provided between different channels. Thus, the data connected over numerous 
different channels can be analyzed as a single logical unit. Likewise, in simulation, several 
devices or data channels may be simulated simultaneously and logical connections may be 
configured between them. 

A series of logical connections may be configured and particular series of data may be tested 
to produce logical scenarios. This may be done as part of testing or as part of a simulation or as 
a combination of the two. 

If testing of communications equipment is being carried out then the interface is used to 
obtain data from the equipment. It can also return data to the equipment, as part of a simulation 
and thus serve as a link in an operational connection. The interface may be a single channel or 
it may be multi-channel, allowing the testing of combined systems or testing of combined 
systems simultaneously. 

If simulation is being carried out then the data interface may be dispensed with, and an 
embodiment built solely for simulation need not comprise a data interface. 

Reference is now made to Fig. 4, which is a generalized diagram showing in more detail the 
virtual protocol model core of Fig. 3. As mentioned above, the virtual protocol model is a 

6 



WO 01/28060 PCT/IL00/00639 
non-specific protocol analyzer. It analyzes collected data according to a predefined protocol, 
that is to say one of the protocols referred to above. The model is based on the OSI's layered 
model and supports among other the following main features: 
Muiti-layer analysis, 

Any field, any data format and any intelligent algorithm concerning data processing, and 
Multi channel analysis/data generation in parallel. 

A tree structure is an optimal structure for presentation of any protocol, algorithm or filter. In 
general, a predefined protocol is maintained as a tree object, that is to say a descendent of the 
generalized tree structure. Figure 4 is a generalized tree structure, designed for an embodiment 
of the present invention, in which the various nodes can be defined with properties of the 
protocol (nodes 60, 62 64 and 66) or they may lead to a whole new layer of nodes, (sub-node 
68). A second layer is shown explicitly but the only limit on the number of layers that may be 
included is the available memory. That is to say the number of layers is practically unlimited. 
The existence of one or more sub-layers, each of which can be constructed with any degree of 
complexity, gives the embodiments of the present invention the degree of flexibility necessary 
to apply testing to a wide variety of devices and protocols. 

Each node in the tree may indicate a field, a group of fields or a sub-protocol layer. A field 
is an abstract term that covers a data pattern, ranging from a single bit to an endless chain of 
bit-data. A branch in the tree represents a branch in the protocol. Such a branch may, for 
example, be represented by the command "separate two messages by a message type field". 
Numerous other functions and properties may be added to the tree to allow flexibility and 
automation of the data process/generation. 

Examples of the kind of properties that may be comprised in nodes within the tree are: 

Automatic check sum data fields, 

Variable length of data field according to dynamic conditions (dependent on other received 
data), 

Data masking and pattern comparison, 
Idle line timeout, and 
Data size trash hold. 

The virtual protocol model core permits the integration of externally provided data processes 
that have been generated by users in the way described above. The internal working of the 
externally provided processes are preferably totally hidden from the model core itself, and this 
is achieved by utilizing an external DLL (Dynamic Link Library). Any node in the virtual 
protocol tree can be assigned to such a DLL. This feature is important, for example if the user 
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wishes to safeguard protocols involving security applications and the like. The data processes 
referred to include both the protocols and the data interfaces. Both may be provided as external 
DLLs with their internal data processing being hidden from the core. 

Reference is now made to Fig. 5, which is a screen view of an exemplary protocol of the 
kind described in Fig. 4, as seen from within the protocol designer 46. Various nodes are 
shown which define the parts of a data packet for the well-known TCP/IP protocol. It features 
internal branching for a higher protocol layer, as well as TCP and UDP protocols which are 
encapsulated as sub-protocol nodes denoted as "TCP packets" and "UDP packets". 

In the aforementioned embodiments there is thus provided a testing device that is 
multi-protocol, multi-channel and multi-interface. 

Reference is now made to Fig. 6, which shows the first step in the process of designing an 
object for testing a proprietary protocol. As in Fig. 5, there is shown a screen view of a 
protocol as seen from within the protocol designer 46. The protocol requires a definition of the 
data fields of a data packet and a series of nodes define open flag, message format connect, 
message format disconnect, data and close flag data fields. The definitions preferably include a 
size and a format for data within the field. 

Reference is now made to Fig. 7, which is a screen view showing how the user interface 26 
permits selection of a prestored interface for the interface object 48, and to Fig. 8 which is a 
screen view of available protocols including that defined in Fig. 6. A 'channel configuration 
manager' window (not shown), appears or is invoked and the user is directed to create a new 
logical channel and then select the required physical interface and assign a protocol. The 
physical interface objects are all presented as icons on the screen and the user simply clicks on 
the desired icon. Then the protocol defined in Fig. 6 is selected from the list shown in Fig. 8, 
which is a selection screen showing all previously defined screens. 

Reference is now made to Fig. 9, which is a screen view showing the new logical channel, 
here labeled simply "my proprietary channel" configured with the protocol and physical 
interface previously selected. The process can be extended to add more channels and protocols, 
and thus to construct a comprehensive configuration for analyzing and simulating multi-channel 
systems to any desired degree of complexity. 

The model is now ready for analysis. The analysis object is preferably activated to execute 
real time data capture and analysis. Data bits from the external device are captured by the 
interface. From the interface they are forwarded to the protocol tree where they filter through, 
starting at the root node and branching to other nodes and protocol layers, as though the data 
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were being fed through a real device according to the protocol rules. The data as received is 
fitted into the data fields as defined in the protocol, ready for further analysis. 

Reference is now made to Fig. 10. which is a tree diagram showing a tree object based on the 
protocol shown in Fig. 6. In this example there is only a single protocol layer and a single 
branch. Now assume the following data bytes are captured: 0x02, 0x03, 0x02, 0x01, 0x01, 0x03 
(Ox - indicates hexadecimal digit). Fig. 10 shows the data bytes fitted into the fields of the 
protocol as discussed with respect to Fig. 9. 

Reference is now made to Fig. 11, which shows the monitor output when the data bytes 
listed as above arrive and fit into the protocol tree as shown in Fig. 10. 

Reference is now made to Fig. 12, which is a screen view showing a capture filter for 
monitoring the results of the analysis of Fig. 11. It will be apparent that for large quantities of 
data, the monitor output as shown in Fig. 1 1 could be difficult to interpret. There is thus 
provided a capture filter which can be set to look out for certain key features of the incoming 
data that it is desired to study. In the screen view the only messages that are studied are those 
wherein the fields "message format: disconnect" and "length of field" contain 0x2 values. All 
else is ignored. 

If, instead of analyzing a particular device it is desired instead to test the operation of a 
particular protocol then the procedure is the same as described above except that the simulation 
object is entered before beginning the test. In the testing object, data is obtained from the 
interface, however, in the simulation object, data is produced, either at random or in a 
predetermined manner. The remainder of the operation is identical. 

In an embodiment, automatic association may be made between a given device interface and 
one of said plurality of protocols. In a further embodiment, external test devices may be 
integrated into the system using a suitably designed interface. 

It is appreciated that various features of the invention which are, for clarity, described in the 
contexts of separate embodiments may also be provided in combination in a single 
embodiment. Conversely, various features of the invention which are, for brevity, described in 
the context of a single embodiment may also be provided separately or in any suitable 
subcombination. 

It will be appreciated by persons skilled in the art that the present invention is not limited to 
what has been particularly shown and described hereinabove. Rather, the scope of the present 
invention includes both combinations and subcombinations of the various features described 
hereinabove as well as variations and modifications thereof which would occur to persons 
skilled in the art upon reading the foregoing description and which are not in the prior art. 
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The source code for the virtual protocol core analyzer is given in the following tables: 
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Claims 

1 . A digital testing device comprising: 

at least one data interface for interfacing to at least one device to be tested, 
a plurality of predetermined protocols, 

a protocol selector for selecting any combination of said protocols to operate on digital data 
obtained via said interface, and 

an output for outputting results of applying said digital data to said selected protocols. 

2. A digital testing device comprising: 
at least one data interface, 

a user interface, 

a protocol constructor operable to accept data from said user interface and to construct a 
protocol in accordance therewith, said protocol being able to operate on digital data obtained 
from said interface, and 

an output for outputting results of applying said digital data to said selected protocols. 

3. A digital testing device comprising: 
at least one data interface, 

a plurality of predetermined protocols, 
a user interface, 

a protocol constructor operable to accept data from said user interface and to construct an 
additional protocol in accordance therewith, said protocol being able to operate on digital data 
obtained via said interface, 

a protocol selector for selecting any combination of said protocols to operate on said digital 

data and 

an output for outputting results of applying said digital data to said selected protocols. 

4. A digital simulation device comprising: 
a plurality of predetermined protocols, 
a user interface, 

a protocol constructor operable to accept data from said user interface and to construct an 
additional protocol in accordance therewith, said protocol being able to operate on digital data 
obtained via said interface, 
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a protocol selector for selecting any combination of said protocols to operate on said digital 

data and 

an output for outputting results of applying said digital data to said selected protocols. 

5. A device according to claim 4, further comprising a script constructor for preparing 
scenarios for simulation. 

6. A device according to either of claims 4 and 5, comprising further inputs to collect data from 
the simulation for testing. 

7. A device according to any preceding claim, wherein said digital data is the output of all or 
part of a communications device. 

8. A device according to any preceding claim, comprised within a computer. 

9. A device according to any preceding claim, wherein said output comprises a configurable 
data filter. 

10. A device according to any of claims 1 to 3 and 7 to 9, wherein said data interface 
comprises a selectable one of a plurality of specific interfaces. 

11. A device according to either of claim 9 and claim 10, wherein said specific interfaces 
are designed for specific digital equipment and are operable to hide characteristics of the 
equipment from the device. 

12. A device according to either of claims 10 and 11, further comprising an interface 
constructor operable through a user interface to construct a specific interface. 

13. A device according to any preceding claim, operable with any digital data. 

14. A device according to any preceding claim, wherein said protocols are operable to 
synthesize the operation of various electronic apparatus. 
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15. A device according to any preceding claim, wherein said protocols are templates for 
fitting said data into a data field structure of a communication protocol. 



16. A device according to any preceding claim wherein said protocols are descendant objects 
of a protocol-independent parent object. 

17. A device according to claim 16, wherein said protocol-independent parent object 
comprises a tree structure. 

18. A device according to either of claim 16 and claim 17, wherein said protocol-independent 
parent object is operable to support processing of data according to any predefined protocol 
which is a descendant object thereof. 

19. A device according to claim 16 or claim 18, wherein said protocol-independent parent 
object is operable to support any one of a group comprising smart filtering, triggering and 
simulation operations. 

20. A device according to any one of claims 3 to 19, wherein said protocol constructor 
comprises a bank of predefined protocol substeps represented by visual items in the user 
interface, individually selectable by a user through said user interface to build a protocol. 

21. A device according to either of claim 9 and claim 10, wherein said device interfaces are 
represented by visual items in the user interface, individually selectable by a user through said 
user interface. 

22. A device according to any of claims 9, 10, and 21, comprising a plurality of additional 
device interfaces, allowing a plurality of devices to be tested simultaneously. 

23. A device according to claim 22, wherein the number of additional device interfaces is 
limited only by constraints of available device memory. 

24. A device according to any preceding claim, further having a storage unit for storing data 
for later analysis. 
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25. A device according to claim 22, wherein logical connections between different ones of 
said plurality of devices to be tested are viewable within said device. 

26. A device according to claim 4, wherein a plurality of different simulations are operable to 
be run simultaneously and wherein said device is configurable to show logical connections 
between said simulations. 

27. A device according to any preceding claims wherein a plurality of channels may have 
logical connections made therebetween and wherein a logical scenario is testable over said 
logical connections. 

28. A device according to any preceding claims wherein a plurality of channels may have 
logical connections made therebetween and wherein a logical scenario is simulatable over said 
logical connections. 

29. A device according to claim 22, wherein automatic association is made between a given 
device interface and one of said plurality of protocols. 

30. A digital testing device substantially as hereinbefore described with reference to the 
accompanying drawings. 
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/ ••••••••••••••••••••••••••••••••••••••« 

* Filename: protocol_malyze.h * 

• Purpose: CoMPA's virtual protocol antysis core ♦ 

* * 

• Author: Coralog. * 

• Version; 1.0 AUG,22,1°V9 • 

* (C) Copyrights Comlog.LTD • 



ftifhdef protocol_enalyzeH 
*defme protocol analyze H 

^include "protocol jJe&.h* 

class TChannelProtocolAnalyzer 
< 

private: 

PTJ>R0T6_TR£E Layer tpProtocoi; // Lowest layer protocol tree 

U 1NT64. TimeOut ; // Time out for frame res y n chr o ni zation (in micro seconds) 

BYTE ♦FrameBuf; // captured data bytes bulTer for frame. 

DWORD MaxFraraeSize; // Maximum size of frame 

UINT64 StartFrameTime; // Mamttan start of frame Umetag while receivetng frame 
DWORD FrameSize; // accumulated frame size. 

DWORD FrameAnalyzedPos; // Total analyzed size from accumulated frame size 
DWORD DecodeFimclndex; // Index m decoded data when using decoding functions. 
BYTE DecodcFuncState; // Last decoding function state. 

PT J>ROTO_NODE Layer 1 pNode; // Last node or NULL for none (for layer 1 Protocol only). 

BOOLEAN Layer I Oroup Recurs; // Flag indicates whether inside a group recursive or not (for layer I Protocol only). 

DWORD Layer 1 Group Mult; // Group multiplies counter (for Lowest Protocol only). 

TOnSaveFrame SaveFrameFunc; // NULL or pointer to "save frame function" 
TOnDisplay DisplayFunc; // NULL or pointer to "Display node function" 
TPassFilterFunc PassFilterFunc; // NULL or pointer to "Filter pass cheek function" 

BYTE LogicaTNumber; // Logical Channel Number 

BYTE NoProtocolBitlTer(DEFAULT_BUF_SIZE1; // Default BufTer for "no protonl" situation 

void _/astcall StartNewFrame ( UINT64 TimeTag ); 

void _Jastcall AddFrame ( WORD ErrorTag, UINT64 TimeTag ); 

void _fastcell AnalyzeLayer ( PT.PROTO TREE pProtocol, BYTE *pData. DWORD DataStee, BYTE Layer ); 
WORD _Jastcail AnalyzeNode ( PT_PROfO^NODE pNode, BYTE •pData, DWORD •pDaialndex, DWORD Data Size. 
BYTE CurrLayer ); 

WORD _faatcaJI AnalyzeGroup < PT_PROTQ NODE pNode, BYTE *pData, DWORD •pDatalndex, DWORD DstaSize, 
BYTE CurrLayer ); 

PT.PROTO^.NODE^fastcailMatchFieldCPT PROTO NODE pNode, DWORD Multiples ); 

— fastcaJl MatchBits ( PT_PROTO_FIELD~pField. PT BITS pBits, PT_SYNC VALUE pSyncVal ); 
WORD _fastcall DecodeField ( PTPROTO NODE pNode, BYTE *pData, DWORD •pDatalndex, DWORD DataSize, 
DWORD "pMulbples ); " 

bool _fasteall MalchMultField ( PT J>ROTO FIELD pFteld, DWORD Multiples. PT SYNC VALUE pSyncVal ); 
bool^fastcallMatchSingJeFieldCPT.PROTd HELD p Field, PT SYNC VALUE pSync Val, BYTE *pOutData ); 
b<>ol_fa3tcallDecc4eAndCc«veftMultField(PT PROTO FIELD pFieldTDWORD Multiples. BYTE •plnData ); 
loid _fastcall DecodeAndConvertSmgleField( PT_PROT5 FIELD pField, BYTE •plnData, BYTE •pOutData ); 
void _fastcaJl CheckNod^ondirjons ( PT PROTO NODE jiNode, DWORD Multiples ); 
vo!d_fastcaJICheckProtocoiConditxons(PT PROTO TREE pPraitocol ); 
DWORD _fastcall NodeVtlueAsDWORD ( ft J>ROfONODE pNode ); 

public: 
// constructor 

TChannelProtocol Analyzer ( void ); 

// Called upon initializing channel and binding H with a protocol 
void _fastcall Assign ( PT_PROTO_TREB J-aywIpProtocol, 
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• Filename: protocol analyze.cpp * 

• Purpose: CoMPA^ virtual protocol antysis core ♦ 

• Author: Comiog. * 

• Version: 1.0 AWftl^ . ,J ^ |MMMM 

• (C) Copyrights CornJog.LTD^^^ IMM # MMMMtMMM «/ 

H : 

^include " protocol an a lyre -h" 

extern DWORD _1 otal Frames Received; 

/•••••••• * / 

/«•«•* PUBLIC •«•••/ 
• •—•••/ 

• NAME: TOiannelProlocolAiiaJyxeT-TaiannelProtowlAnalytcr 

* DESCRIPTION: Constnictor. 
* 

• RETURN VALUE: None. 

♦ NOTES: None. 



TChannelProtocotAnaJyzer. :TCharmelProiocol Analyze^ void ) 

i 

Layer IpProtocol - NULL; 

SaveFrameFunc - NULL; 

Display Func « NULL; 

PassFUterFunc - NULL; 

TimeOut - 0; // No timeout I 

FrameBuf - NoProtocolBuffer; 

MaxFrameSUe - sizeofl^o Protocol Buffer); 

StaxtFrameTime - 0; 

FrameSize - 0; 

FrameAnalywdPos ~ 0; 

DecodeFuncIndex « 0; 

UecodeFuncState • DEC JSTATK_BEGI N; 

Layer I Gtoup Recurs -FALSE; 

Layer lGroirpMult -0; 

LayerlpNode -NULL; 

LogicalNumber - 0; 

) 



• NAME: TCh annc I PrcTtoco IA oily rer: Assign 
• 

• DESCRIPTION: Assign a protocol Tor using in thhchaimet 

• Also assign the interface' functions for filtering 

• and display. 

• RETURN VALUE: None. 
• 

• NOTES: If DtsplayFunc is NULL (No Display fcmrionaiity tt all) 

• If MatchFunc is NULL (No firters/triggers functtooality 

• at all) 
« 

• ••••••*•••••••••••••••••••••••♦•••••••••••••••••••••••••/ 

void __fastcall TChannelProtocolAnalyrer:: Assign ( PT.PROTO.1TREB ^UyerlpProtocol, 
TOnSavcFrame JJaveFrtmeFunc, 
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TOnDisplay _DisplayFunc, 
TtasFilterFuhcT PassFilterFunc, 
BYTE _LogtcalNumbcr ) 

Layer tpProtoco! - _LayCf IpProtocol; 

SaveFrsmeFune « _SaveFrameFtme; 

DisplayFunc « ^DisplayFunc; 

PassFilterFunc - ~PassFilierFurjc; 

LogicalNumber -^Logical Number, 

il ( UyerlpProtocol !- NULL ) 
I 

TimeOut ■» Layer! pProtocol->TimeOut; 
FramcBuf - Layer! pProtocol->FrameBuf; 
MaxFrameStze - Layer! pProtocol->MaxJr"rajneSite; 

) 

else 
< 

TimeOut - 0; 

FramcBuf . - NoProtocolBuJTer; 

MaxFrameSize - sIzeoflNoProtocoIBufTer); 

I 



• NAME: IChanjielProtocolAaalyterrPreptre 

• DESCRIPTION: Prepares channel for capture - reset it! tttlit parameters. 

• RETURN VALUE: None. 
♦ 

• NOTES. None. 
# 

••••• .*....♦*♦♦•♦*♦♦•..♦♦..*/ 

void _fastcaJI TChannelProtocol Ana ryrer:: Prepare ( UTNT64 TrmeTag ) 
I 

SlHrtNcwFrame ( TimeTag ); 

) 



* 

9 NAME: TChuinell^c^(AnaJyzer.:0nFinish 
t 

• DESCRIPTION: Called upon capture finish. Saves remain frame's bytes, 
t 

• RETURN VALUE: None. 
* 

• NOTES. None. 
• 

••••• ♦ •••••♦/ 

void tiatcaJI TCbarmelProtocot Analyzer: :OnFtmsh ( void ) 

r 

il ( FrameSize > 0 ) 
( 

// Just add remain bytes as garbage (FRAME,ERR_NOT ^FINISHED): 
FrameAnalyzedPos • FrameSize; 

AddFrame( FRAME ERR_NOT FINISHED, Stmtf rameTime ); 

) 

I 



* 

• NAME: TCrumnelPrtrtocolAnaJyzer::OnFacket 
» 

• DESCRIPTION: Proccess captured packet of bytes. This routine is the 

• analysts entry point. 
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♦Packet - Captured "chunk of bytes' 4 (non synchronised). 
PacketSite - Length of packet 

TimeTag - mterface/Driver Capture Mbit micro resolution 
Time Tag. 

RETURN VALUE: None. 

1 

NOTES: Celled by Driver/Interface DLL high priority Thread. 

• Buffering Concept 

* 

• There are three buffering stages in data analysis: 

• 1 . Actual Bytes/Packet received - these bytes must be 

handled -as quickUy as possible and returned back to 

• driver for reuse. 

2. Frame buffer - Accumulating data storage for completing 

• lynchronired data frame. 

• 3. Decoded Data - Decoded data bytes after process. These are 
» maintained per each node( field) in the protocol Tree. 

• 

void fastcall TChaimelProtocol Analyzerr.OnPacket ( BYTE ♦Packet, 
~~ DWORD PacketSize, 

WORD PacketErr, 
UINT64 TimeTag) 

DWORD Packetlndcx - 0; // Position in packet 

WORD LastErr; // Last error returned from analysts function 

bool AnotberLoop - FALSE; // Set to TRUE if need extra anrysis loop 

/ / 

r check for timeout ( Check only if frame has alredy started ): ♦/ 

/ • •/ 

/* If TimeOut >« 0 whole frame must be completed in an Interval that is •/ 

/* less men TimeOut 1 */ 

/• If TimeOut • 0: whole frame must be received in single packet •/ 

if(FraraeSize) 

* // Notice: If TimeOut - 0 then even two successive packets with the 
// same time tag (Delta time - 0 ) are considered timeout 
if ( TimeTag >- ( StartFrameTime + TimeOut ) ) 

1 AddFramc< FRAME_ERRTIME_OUT, TimeTag ); // Error - Add ail accumulated bytes (not including currently received) 
with timeout tag 

// else: Ok, valid state ( in the middle of a frame ). 

) 

else 

StarfNewFrame ( TimeTag ); 

// Keep going till whole packet' bytes proccessed: 
while ( ( Packetlndex < PacketSize ) II ( AnotberLoop ) ) 
I 

Another Loop ■ FALSE; 

/••••• * •••••••/ 

/* Enough space left in frame buffer 7 V 
(•••••••••• •••••••♦•••♦♦•••••••••••••/ 

if ( (MaxFrsroeSize - FrameSiie) >- (PacketSize - Packettndex) ) 

* // Add remained packet bytes to frame: 
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mcmcptf AFremeBuflFrarneSize|. &Pedcet|Pac*eUitdex|, (PacketSize - Packctlndcx) ); 
FrameSize +- (PacketSize - Picketlnttex); 
Packctlndcx - PacketSize; 

} 

else 

' //Add meximtmi amoimt of bytes to fill frame* buffer: 
^cp^FrameBunFramelite], &1»ackct(Packetl«lexl (MaxFrameSize . FrameSize) >; 
Packetlndex *- (MaxFrameSize - FrameSize); 
FrameSize - MaxFrameSize; 

) 

if ( PacketErr ) // Packet Error VI 

1 FraraeAnaJyzedPos- FrameSize;// Act as ir analyzed... 
AddFrame{ PacketErr, TimeTag ); // Add frame and prepare for next 

} 

else 

FrameSize, F1RST.LAYER ); 
else 

' FrameAnalyzedPos - FrameSize; // Act as if analyzed... 
LastErr - 0; // No Error I 

) 



switch ( LastErr ) 

* / „ ♦.♦«♦.*♦♦♦•••*••••♦••••♦♦*•♦•••••♦•••••«••/ 

/♦ Ok message complete and Fr,w ^^y^^7^^Sw*«*«/*« •♦•••••••/ 



•0: if (TimeOut — 0)tfNo timeout 
FrameAnalyzcdPos - FrameSize; 
AddFrame< 0. TimeTag ); // Add frame and prepare for next 



/* 1 .SUA more nodes to analyze • required more bytes. */ 
/• 2. Search pattern not found required more bytes. */ 
/• 3.1n the middle of decoding function. •/ 

caseANLZ ERR NODES BUrj40T_ENOUGH_DATA: 
case ANUf ERR~NOT ENOUGH_DATAjniX_END: 
case ANLZ"ERR>ATTERN NOT JOUND: 
case ANLZERR DFUNC NOT FINISHED: 

if ( FrameSize < MaxFrameSize ) // Fragmented message, wart for more data... 

I 

if ( TimeOut — 0 )// No timeout 
\ 

FraraeAnalyzedPoa » FrameSize; 

AddFrame( 0 , TimeTag ); // Add frame and prepare for next 
break; 

// Else, FrameSize - MaxFrameSize but still not enough data: 

AddFrame( FRAM E_ERR_TOOJMO, TimeTag ); ft Add frame and prepare for next 

| i 

weak, 

/ 

/• Message complete, (yet still more bytes m frame bulTer) V 
/♦♦♦•♦♦.•.*♦.♦♦•♦•♦.♦♦•♦♦♦.♦♦•♦•••♦♦♦•♦•••••••••♦••♦•♦♦•♦••*•♦♦♦♦•*/ 

ease ANLZ ERR_DATA BUT WO MOREJJODES: 

if ( f imeOut = 0)//No timeout so also add remain bytes 

FrameAnalyzedPos - FrameSize; 
AddFrame( 0, TimeTag ); // Add frame and prepare for next 
if ( FrameAnalyzedPos < FrameSize ) // If fragmented message, wait for more data... 
ArwthcrLoop - TRUE; // repeat mother loop * still bytes in frame buffer 
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, .....««...«........../ 

/• | Matching found could not be found"! V 

/• 2 CouW not complete analysis since decoding buf was loo small .•/ 

/« 3.Decodtng function returned t ^J^^J^^^^^}'^li M9MW 0^f 

case ANLZ ERR_NO_MATCH_FOUND: 

case ANLZ~ERR~DECODE_BUFJTOO_SMALL; 

case ANLZ~ERRlDFUNC_OUT_OF_SYNC: 

1 if ( fimeOut — 0 ) // No timeout so also add remain bytes (Let rc-anlysis detect errors) 

Frame AnalyzedPos «- FrameSize; 

AddFrame( 0, TimeTag ); // Add frame and prepare for next 

I 

else 

AddFramet FRAMEERR OUT_OF SYNC, TimeTag ); // Add frame and prepare for next 
if < FramcAnalyzedPos < FrameSize ) //Tf fragmented message, wait for more data.,. 

AnotherLoop - TRUE; // repeat another loop - still bytes in frame buffer 
break;* 

j •»•••••/ 

/♦ Invalid Frame Cbeck Sequec* Returned fl ^ de ^^JfJJSlJi«»«»»«««**»»/ 

case ANLZ ERR DFUNC fNVALIDFCS: 

if ( fimeOut — 0 )// No tfmeout so also add remain bytes 

FramcAnalyzedPos - FrameSize; 
AddFrame( FRAME_ERR INVALID FCS, TimeTag ); // Add frame and prepare Tor next 
if ( FramcAnalyzedPos < FrameSize ) // If fragmented message, watt for more data... 

AnotherLoop - TRUE; // repeat another loop * still bytes in frame buJTer 
break; 



o>fcuh?^c^rame( FKAMB_ERR_UNEXPECTED, TimeTag ); // Add frame and prepare for next 



I 



I 



• NAME: T Channel ProtocolAnaiyzer. : Re AnalyzcFrame 

• DESCRIPTION: Proccess an already captured frame for monitoring 



• Frame - Frame bytes buffer. 

• FrameSize - Frame buffer site. 

_Disp!eyFunc - Call back for node/group display function. 

» 

• RETURN VALUE: None. 
* 

• NOTES: Called by monitor for analyzing non-error frames. 



void _rastcall TthannelrVotocolAiMlyzer::ReAnalyzeFraiiie ( BYTE *pFrsme, 

DWORD FrameSize, 
TOnDwplay DisplayFune, 
TPtssFilterFunc .PassFOterFuoe ) 

StartMewFrame { 0 ); // Reset all channel's static variabels 

DisplayFune a _Di9playFunc; 
PassFilterFunc ° ^PassFilterFunc; 

if( LayerlpProtocol !« NULL) 

// Returned with error ? 
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ANUJRJl.DMAlBUT.NO.MORE.NODfcS ) 
- J5TOtr»iT NO MORE NODES); 



I 



• NAME: TChannelProtocolAnalyrerxSurtNewFrtme 

' DESCRIPTION: Rea* ell _re**eo Pf^'^r* 8 ° f 
oev frame ( applied on layer! ptotoeol only). 

• RETURN VALUE: None. 

• NOTES: None. ,.«••••••♦••/ 

S^eTi-nc -Ti-Tag; "^(St^^fr^) 
S3JK5S2T -'o° : //SffiW"* 
tayerlOroupMuK -0; No mutoplea ot group 

L^I^xrCONDfriONSmESJER.NOOE;^) 
NumOfconditionstil - 0;*/ 

if ( UyerlpProtocol !=* NULL ) . 
UyerlpNode - UyerlpProtocol->pRootNode; 

I -., MOM . M • 

• NAME. AddFrame 

• DESCRIPTION : Add frame wnttwithout eiTOT Ug. 

• EnorTag . Frame Error Value or 0 for no error. 

• TtmeTag • New Time tag for next frame. 
• 

• RETURN VALUE: None. 

• NOTES: None. 

' DWORD Tmp; 
if ( EirorTag ) 

' if((EmffTag-FRAME.ERRJOO_B10 )J 

l Zi.r niAME_m jime.out) n 

( tUorTeg - FRAME:eRR_UNEXPECTED ) ) 
( FrameAnalytedPoa - FnmeSiie; // Art as if bytes whw enalyttd I 
) 
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1 .1 ~~ive emote* (for monitoring purpose) 

if , S .veF,am«Func I- NULL > /> Add to memory/We... 

vfrSSKi i- null , „ mm 

if ( F,ameAnaly«dPos < Ft ameSiae > 

1 Tmp . P r .meSi*e - F^^^e'opy oven appiog «- 

t . — / T'tm«TiO 1'. 



mcrruoove { ^T.mcouu^^ 
StartNcwFrBinc ( Time lag j, 
FrameSiw - Tmp; 

StartNewFrame ( TimeTag ); 



/ 

• NAME: Ana.y«Layer 

I DESCRIPTION: An^cf^-pn^lUyet (higher^*-*" 

• previous) 

S5fa»- Decoded data sire P«^*T ^ pr °^ ^ 
Uyer- Previous ptotocol layer Humber. 



This routine .nay be edled «eu*v.y ftom Ai^y-Node. 



• RETURN VALUE: None. 

* NOTES' This routine may oe eaiieo ™« 
. H It must not be used on first layer 

Wotice that pmbw (W '^^f^*"^ ^ 
. « this layer, henee thif function return, nothmg. 

*. V'r^Vn VrOT^'t^Tp^.BYTE -pD-^ORDDauSixe. 

; oid _f.,tc.nTCh.nne.^o1An..y OT .:A..«y«L^er(PT_PROTO. 

BYTE Layer) 

1 DWO RD Dauunde* - * " Starting ne* layer - ao point to position 
tayer-M-; // Increase layer number, 
if i pProtoco!->pRootNode — NULL ) 



ft Check fitter/tng^eondmof^ 

CheckProtiKolConAtiora ( pProtocol ), 

/••Recursive analysis In protocol we... I 
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ANLZ ^ERR.OATA.BUT NO.MORB.KODES ) 
anlz.ew7daTa.but_no.more NODES ); 



f* This layer ' s complete: ^ 
'* r:T~*: TT« r~ .«.lv*is of mof e nodes on previous layer: •/ 



/• Mtkesure all clear for analysis of more nodes on prc™*» ;«7- • 

— u 

^eFuncState « DEC.ST ATE.BEOW; 
DccodeFunclndex - 0; 

) 



• NAME: TChanndProtocolAniiryzer-.Analy/eNode 

* DESCRIPTION. Analysis and match for • specific node. 

pNodc- r^interofnextr^etoteanalytcA 
nUata - Received dflUT bytes buffer. 

• RETURN VALUE'. 0 or analysis' error number. 

• NOTES: This routine is ealledreeuraivty. 



**** , . | , Node ( n PROTO NODE pNode. BYTE .pt>». DWORD •pDs.-lndo, 
WORD _tocdl TCbsnnelProtoeoLMalyrer.ArriyzeNode ( PT.PROTU. 
DWORD DstaSize, BYTE CurrLayer ) 

' WORD LrstEir, ^J^^SE!?"**** 



, i 

/♦ Cheek; Is called ^JJJJ.^J *.'.••••• v 

if i pNode - NULL ) II If called torn • leaf : 

1 if (.pDttaWex<DalaSi2e)//SliUbyte»toiaily»r. 

1 return ( ANLZ_ERR.DAT A.BUT.NO.MORE.NODES ); 

// Else: ( *pData,ndex — DataStte ) 
return 1 0 ); // 0k, no more nodes to analyze. 



V 



/• Check: Is this node a J #OM *i # «* •♦♦»♦♦♦♦/ 

!r(pNodc>pFie1d l-NUU) 
I 
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PT_PROTO_FIELD pFidd; 
pFidd - pNodopField; 



/• Decoding data and checking for error. V 

/ * •••••••••••••••••••/ 

PrevDatalndex - *pDatalndex; 

UstErr « DecodeField ( pNode, pData, pDatalndex, DataSize, AMultiples ); 
if(LastErr) 

{ ft If data is not fragmented allow situation where still node to analyze but 

if U O^tEr?^ ANLZ !HUlJNODES_BUT_NOTJENOUGH_DATA ) AA 
I •pDalalndcx — DataSize ) ) AA 
( ( CurrLayer \ m FIRST.LAYER ) \\ ( TimeOut - 0 ) ) ) 
f eturn ( 0 ); // Ok, pherheps not all nodes anlayzed, yet, no more data ! 

//Call Display with error... 

^ { S^^^{C^ili 9 pNode. ftpDatalPrevDaUlndexl, DataSize - PrevDatalndex, 0, UstErr ); 
return ( LastErr ); 

) 



/ 

/♦ Try to match one of the sibling nodes */ 

/•••••••••••«••••• 

pNode - MatchField ( pNode, Multiples ); 



••••••/ 

Multiples ); 
if ( pNode — NULL ) // If no match: 

{ if ( ( CurrLayer — FIRSTLAYER ) AA ( TimeOut I* 0 ) ) // MainUin Noda pointer (requires if data is fragmented) 
Layer lpNode - NULL; 

// Call Display with error - no match ! 

if( DisplayFunc!* NULL) m m ^ f . _ 

DisplayFunc ( CurrLayer, pNode, ApData(PrevDatalndex], DataSize - PrevDatalndex, 0, 
ANLZ jERR_NO_MATCH_FOUND ); 

return (ANLZ ERR NO MATCHJOUND ); 

) 

// Ok match: check trigger/filter... 
if(pNc^e->pFirstHookedCoodition l-NULL) 
CheckNodeConditions ( pNode, Multiples ); 

//Ok, Call Display... 
if ( DisplayFunc !• NULL ) 
DisplayFunc ( CurrLayer, pNode, &pData(PravDstatndcx|, ♦pDatatndcx - PrevDatalndox, Multiples, 0 ); 



/•••• •••••••*♦♦•«•• 

/* Process higher protocol layer if such: V 
/••••••• - 

if ( ( pNode.>pHjgberProto I- NULL ) AA ( Multiples > 0 ) ) 
AnaryzeLayer ( pNode->pHigberProto , pFie!cV>DecodedBuf, MuJtiples # (pField.>Type), CurrLayer ); 

/ • •••••••••••stotss/ 

/• Recursive call to child node (iT such): ♦/ 

/ .•••••••••.•.••••••••••/ 

if ( ( pNode->©Cbild — NULL ) AA ( 0N«le->pOwiierOroupNode I- NULL ) ) // Last was a leaf of a group: 

// Check if first protocol layer and currently inside a recursive initiated from the group: 
if ( ( CurrLayer — FIRST LAYER ) AA ( TimeOut I- 0 ) ) 
, ( 

LayerlGroupMult++; 

if ( Layer I Group Recurs ) // Called recursivry from i group: 
( 
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Layer lp Mode - pNode^pO^erGroupNode; // M^i" Node poinfcr (re^« if*- - <Wed) 
return (0);// Ok. 



else 
1 

S( o ); // Ok, Not the fust layer (so defenetlry called recursively from a group) 

} 

return (^Awtfj^Node (^Node->|0^<S^'E^^P^*^*^ B ^*** DaltSize, CurrLayer 

) r ' 

/• Check. Is this node a Group 7 

••••••••••••••••••• 

else 

//Else (Tor debug check): 

DEBUG ERR ( " Neither Field Nor Group ! ); 

return ( ANLZ_ERR_UNEXPECTED ); 

) 

• NAME: TCbmnelProtocolAnalyter::AnalyzeOroup 

• DESCRIPTION: Analysis of a group on Cist layer only. 
* 

• pNode - pointer of next node to be analyzed. 

• pData- Received datt* bytes buffer. 

• ' pDstalndcx - In: current Index in Received data' bytes buffer 

• Out- after analysts index in Received data byte* butter. 
DataSiie - Received data' bytes buffer size 

CurrLayer - Current Protocol layer number l..MAX_NUM_OF_LAYERS 

• RETURN VALUE: 0 or analysis' error number. 

• NOTES: This may be called recursivly ( but not if OmLayer - I ) 

This function should be invoked only if node is a group ! 



WOl^fsstcailTth^ •pData,' DWORD •pDaUlndcx, 

DWORD DataSize, BYTE CurrLayer ) 

{ PT_PROTO GROUP pGroup; 
WORDLastErr-0; 

DWORD Multiples; // Multiples of group 

if ( ( CurrLayer « FIRSTLAYER ) && ( TimeOut !- 0 ) ) // Need to maintain some variables (solve receive fragmentation) 

* LayerlpNode-pNode; // Mark last node tor frame fragmcrttation 
if ( pN«Ie->pCKifnerOroupNode I- NULL ) U (Debug checks) 

* DEBUG ERR ( "Group Inside Group if not allowed in first layer when timeout is not 0 !"); 
return (A"*NL2 ERRJJN EXPECTED); 

» ) 

p Group - pNode->pGroup; 

/ 

r Determine multiples of Group : V 
/•••••••••••••• •••••••••••••*•/ 

switch( pOroup->Mult ) 
( 
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cue MF_NO_MULT: Multiples - 1 ; 
break; 

ease MF_SPECIF1ED: Multiples - pOroup->MuhPar«nicier, . 

ewe mp jioS* ' Multiple* - NcdeValueAaDWORD ( pOrc^pMultNode ) + pGn^MullParBmctcr, 

caaeMF TILTED DEBUG ERR ( "Repeat till end in first layer and timeout it not 0 - not supported \*)\ 

~ return (ANLZ EKRJJNEXPECTED ); 
default DEBUG ERR ( "Unknown Group' Mutt !"); 

return ( ANLZ_ERR_UN EXPECTED ); 

) 



/• Notice. In first protocol layer reception Is fragmented, hecne I 
/* this function may return without fiiushuig group mal J*jj;„ # ; #< 



if ( LayerlGroupMult — 0 ) 

* // Match by default (since entered group): 
//Call trigger/filter... 

if ( pNode->pFirstHookcdCondition !- NULL) 
CheckNodeCortditions ( pNode, Multiples ); 

) 

Layer I Group Recurs » TRUE; // Steping into a group recursive 



f keep Analysis white I. Need more multiplies of group. •/ 
/• 2. No error. •/ 
/• 3. Still more data to analyze. */ 
,•••••••••«••••*••••»•*•••« 

while ( ( LayerlGroupMult < Multiples ) && 
( LastErT — 0 ) && 

( *pDataindex < DataSiee ) ) _ . v 

LastErr - AnaryeeNcde ( pGtoup->pRootNodfi, pData, pDaUlndex, DataSite. CurrUyer ); 

LayerlGroupRecurs - FALSE; // Out ofa layerl group recursive 

if ( LayerlGroupMult «* Multiples ) 

' LayerlGroupMult -0; // reset (since finished group multiples) 

V Go to child... 

return ( AnalyzeNode ( pNode^pChild, pData, pDatalndex, DataSize, CurrLayer ) ); 

I 

return ( LastErr ); 

) 

else // Not the first layer or 0 timeout: 
{ 

int i - 0; 

t p Group - pNode'>pGroup; 

// Match by default (since entered group): 
// Call trigger/filter.. 

if ( pNode^pFtrstHookedCondition I- NULL ) 
ChexkNodeConditiow ( rjNode, Multiples ); 

/••••• 

/* Determine multiples of Group : */ 
/•••••• •••••••••••••••••••••/ 

switeh( pGroup->Mull ) 
i 

esse MF_NO_MULT: Multiples - I; 
break; 

case MF_SPECIF!ED: Multiples - pOroup^MultParameter; 
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group 



> 



MF.NO^'' Muhipte - NodeVtloeAiDWORD ( p&wMoUNode ) ♦ pOtou^MultPamneur. 
break; 

case MF_TILL_END: 
i - DataSiie - ( •pDalalodex ) + pOrog^MuiiParameler^Nagfitive value*/; 
whUe ( i > 0 ) // Loop till reach end - delta 

{ LastErr - Analy reNode ( pGro«p.>pRootNode. pData, pDatalndex. DauSize, CurrLayer ); 
if (LastErr) 

1 if ( LastErr !» AN LZ_ERR.DAT A Jil*_NO_MORE_NODES )// This is not an error - since need to repeal 
return ( Last Err ); 

! - DirtaSize - ( •pDatalndex) + pGroup^MultParanieter/^Nagative valueV; 

) 

if (.i < 0 ) // Too many bytes analyzed I 

* // nummn Call Display with error - no more data but stilt left multiples I put as hex... 
return (ANLZ ERR NODES BUT NOT_ENOUGH_DATA ); 

) 

//Go lo child... _ mt _ _ 

return ( AnalyteNode ( P Node->pChild, pData, pDatalndex, DataSize, CurrLayer ) ); 

derault : DEBUG_ERR ( "Unknown Group' Mult V ); 
return ( ANLZ ERR^UN EXPECTED ); 

) 

/ * ••••••••••♦/ 

/* Handles: MF NO MULT, MF SPECIFIED, MF NODE : •/ 
/ • .-..••♦..••••......«../ 

wliile U i < (mt)MuUiples ) 

( •pDatalndex < DataSize ) ) 

{ LastErr = AnaJyzeNode ( pGroup->p Root Node, pData, pDatalndex, DataSize, CurrLayer ); 
if(LastErr) 

return ( LastErr ); 
else 

i-H-, 

) 

if ( i < (int)Multiples ) // Not enough bytes 1 
< 

> // ftnmmn Call Display with error - no more data but still left multiples I put as hex... 
return (ANLZ ERR NODB$_BUT NOT ENOUGH DATA); 

) 

//Go to child... 

return ( AnalyzeNode ( pNode->pChiId, pData, pDatalndex, DataSize, CurrLayer ) ); 

) 



• NAME: TChannelProtocolAnalyzerrMatehField 
♦ 

• DESCRIPTION: Trys to match field's decoded data in one of the sibling 

nodes (inc hiding this node), 

♦ 

* pNode - pointer to first node (in sibling list). 

* Multiples - Multiples of decoded field. 



IB 
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/• For each multiples type: */ 

/• V 

/• I .Check if enough data to complete field if not •/ 
/• return error. V 
/• 2. Decode/convert recived data. */ 
/• 3. mora merit Datalndex to next field V 
/••••••••••♦••••• ••••••••••••••••••••• 



7 



case MF_NO_MULT: if ( pNode->pBits HNULL ) // Bits partiUoning ? 



/* Check for bits partition ( allowed ♦/ 
/• only if MF_NO_MULT ) ♦ 



/* PcHrom decoding only if: */ 
/* First node in bits partitioning •/ 



♦/ 
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•pMutttples - I; 

if ( pNode->0Bit3->pFim — NULL )// Is first ? 
I 

if ( (DWORD)DataSize - Datalndex >- (DWORDjType ) // enough bytes ? 
I 

Decode AndConvertSingIeField( pField, &pOata[DatalndexJ, pFie!d->Decode<lBuf ); 
(•pDatalndex) 4- Type; 

) 

else 

return ( ANLZ.ERR NODES BUT NOT ENOUGH DATA ); 

I 

// Ok I decode ok, or not the first bits partition. 

else // No bits partitioning: 
\ 

if ( (DWORDXDaUSize - Datalndex) >- (DWORD)Type ) 

if ( ( pNode->pBits — NULL ) R 

I ( pNode->pBit* I- NULL ) A& ( pNode->pBits->|JFirst — NULL ) ) ) 

Decode AndConvertSingleField( p Field, &pData[Data Index], pFie!d->DecodedBuf ); 
(•pDatalndex) +- Type; 
♦pMultiples- I; 

) 



else 

return ( ANLZJERR_NODES BUT NOT ENOUGH DATA); 
I - - - 

break; //Ok 

case MF_$PEC1F!ED: •pMiilliples - pField->MultParameteT; 

if ( DataSize - Datalndex >- ((•pMultiples)»Type) ) 

if ( IDecodeAndConvertMuItField ( pField, ♦pMoltiples, ApData(DataJndex) ) ) 
^ return ( A N LZ J:RR_DECO DE_BUF_TOO J5MALL ); 
(•pDatalndex) 4- ((•pMulUples)*Typc); 
else 

return ( ANLZ_ERR_NODES_BUT_NOT_ENOUGH_DATA ); 
break; "* 

case MF_NODE: 'pMuitiples - Node VelueAsD WORD ( pField->pMullNodfc ) + pField->| 
if ( DataSize - Datalndex >- ((♦pMultiples)*Type) ) 

if ( !DecodeAndConvertMultField ( pFietd, ♦pMultiples, &pData[Dat*Jndex] ) ) 




LNODB • but decode buf too small ! "); 
MTOJMALL); 
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) 

(♦pDatalndex) 4- ( p Fie!d->Type) • (♦pMulupM; 

) 

else 

return ( ANLZ_ERR_NODES_BUTJNOT_ENOUOHJDATA ); 
break; 

/ • ' 

/"The following types applied only for TF_BYTE Type only •/ 

/•••• * •••••••••••••••••• / 

case MF.TILL.END: if ( (intXDataSize - Datalndex) < HpFteld^MuUParameter/'Nagabve value*/) ) // Not enough bytes I ( 
MultParameter n -delta from end ) 

•©Multiples -0; 

return ( ANLZ ERR NOT ENOUGHDATAJUL.END ); 

> 

. *pMultiples - DataSize . ( Datalndex ) ♦ pFieW->MultParamcter/*Nagstive value*/; 
if ( IDecodeAndConvertMultField ( pFteld, ♦pMultrples, ApDatalData Index) ) ) 

* return ( ANLZ ERR DECODE BUF_TOO_SMALL ); 
> 

(•pDatalndex) - DataSize + pField->MultPartmeter, 
break; 



case MF FIND: /•••••••••••#•••••••••••••••••••••••••■••■••■••« 

/• pDatalndex will be updated only if pattern was found. V 
/♦ For fragmented data, search will be made again and again*/ 
/* till pattern found or error (timeout or frame to big) V 

•pMulliples - 0; 

white ( Datalndex < DataSize ) 

, ( DecodeAndConvertSingleField 1 pField, ftpData I Datalndex] , ApField.>DecededBufI*pMultiples| ); 

Datalndex++; 

if ( pFietd.>CtecodedBull*pMultiple3) — (BYTE)pField.>MultParameter ) 
[ 

(•pMultyles)**; 

•pDatalndex » Datalndex; 

return ( 0 ); // Ok, decoding success. 

(*pMultiples>++; 

J 

return ( ANUS_KRR_PA'nKRN_NOT>WND ); 

case MF_DbTODK: /•••••••••••••••••••••••••••••♦•••••••••••••••••••••••••••*••••••••••• « 

/* External decoding function involved: Decode and increament pDatalndex. •/ 
/* DecodeFuncState is sutic - if last time decoding function hasn't been */ 
/• finished, this variable maintain the last state. •/ 
/* Notice: single channel cannot use two decoding function processing •/ 
/•in parallel! •/ 

,«»*«»»«.*««»,•♦••«•«»•••*««««•**»«««••«»»»»« ♦ ♦•*.«.../ 

//Debug check: 

if ( pFidd->pDecode->pDecodef unc — NULL ) 
< 

DEBUG_ERR("No decoding function I"); 
return ( ANLZ ERR UNEXPECTED); 

RcvSize - DataSize - Datalndex; // Obtain remain bytes 

DecodeFuncState ° pFie!d->pDecode^De©odeFunc( 
DccodcFuncSlatc, 
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&pDatA(Dttaiodex], 
ARcvSize, 

pFicld->DeeodedBuf, 
& DecodeFunclndex, 
pField->MaxDecoiedBulSize t 
pFidd->pDec©deo>StatfcStor*ge); 



II pDatalndex is ail way* tna 
•pDatalndex - Datalndex + RcvSixe; 

switch ( DecodeFuncState ) 

{ case DEC STATE COMPLETE: 

DccodcFuncState - DEC.STATE.BEGIN; ft ^« 

// father decodingfconvert is performed on ^decoded buffer ittdf. 

DccodeAndCoovertMultField ( pFleld, DecodeFunclndex, P Field->DecodedBuf ), 

'•pMultiples - DecodeFunclndex; 

DecodeFunclndex " 0; 

break; // Ok decoding complete 1 

case DEC STATE.ERR.SYNC: 

DecodeFuncState - DECJTATEJBEGIN; // Prepare for next time. 
DecodeFunclndex - 0; 

return { ANLZ_ERR_DFUNC_OUT.OF_SYNC ); 

case DEC STATE.ERR.FCS: 

DecodeFuncState - DEC_STATE_BEGrN; // Prepare for next lime. 
DecodeFunclndex - 0; 

return ( ANLZ_ERR.DFUNC_rNVALID.FCS ); 

case DEC STATE_ERR.TOO.BIO: 

DecodeFuncState - DEC.STATE_BEOIN; // Prepare for next tune. 
' DecodeFunclndex - 0; 

return ( ANLZ.ERR.DECODE.BUF.TOO.SMALL ); 

default: return ( ANLZ ERR DFUNC.NOT.FIN1SHED ); 

) 

break; 

default : DEBUG ERR ( " DecodeField: Unknown Field' Mult I "); 
return (ANLZ ERR UNEXPECTED); 

) 

return ( 0 ); // Ok, decoding success. 

) 



* NAME: TOuuuielProtocotAtu!yzer:M8tchMuttFleld 
• 

* DESCRIPTION: Match on ali multiples of a field, 
t 

• pFietd - new protocol layer. 

• pin Data • Node's non analyzed data bytes (yet not decoded) . 

* Multiples -Multiples of field. 
• 

• RETURN VALUE: Return TRUE for match or FALSE for no 
• 

• NOTES: This routine does not handles a decoding function 

* Size of In Data always remains the same as OutOita. 



V 



bool _lastcall ILhaimeittr*ocolAnalyzeT::Mrtc^^ DWORD Multiples, tM .SYNC.VALUE 

pSyncVal ) 

\ 

DWORD i; 

BYTt KieldSize, *p0utData; 



It 
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t 

if ( pSync Val->Syrtc 1- SF_ALL )// step m only if need 

FieldSize-pField->Type; 
pOutData - pField->DccodedBuf; 

for ( i - 0; i < Multiples; i++ ) 

// Event if there is only one that doesn't match ^> return FALSE: 
if ( iMatchSingleField ( pField, pSyncVal, pOutData ) ) 

retum( FALSE ); 
pOutData +■ FieldSize; 

) 

) 

rerun*: TRUE ); // Ok all bytes matches 

J 

* 

• NAME: TCKannelProtocol Analyzer :MatchBits 

• DESCRIPTION: Match bits partition node. 
♦ 

• pField • new protocol layer. 

• t pBKs - Node* Specific bits info. 

• Multiples - Multiples of field, 

• RETURN VALUE: Return TRUE for match or FALSE lor no match. 

• NOtliS: This routine is applied only if pBitt I- NULL 

•♦•♦«♦••••♦•••••«••••♦•♦••••••••••/ 

boo! _fastodl TCharnielPfotc^olAitalyzer::M«chBrtt ( PT JPROTO_FIELD pField. PTJitTS pBits, PT_SYNC_VALUB 

pSyncVal ) 

I 

BYTE •pOutData, *plnData, ShiftR, ShiftL; 
DWORD Triple; 

if ( pBits->pFirst « NULL ) 

plnData - pField»>DecodedBuI; // lust partition: 
else 

pmDota - pBits->pFim->pField->Decode4Buf; // not the fust partition: 
pOutData = pBits->DecodedBits; 

/ • • •••♦••/ 

/• prepare DccodedBits bufTer so that it will contain specified bits •/ 
/• boundries: V 

r v 

r Ex: prepare bits index 5 to 9: •/ 

r , •/ 

/•bits... 0,1,2^,4, W.t.9,10,1 1,12,13.... V 

/• •/ 

/•InData: X.WX.l.l.l.O.UXX.X.'... V 

/♦OutData: 1,1,1,0,1,0.0.0,0,0,0,0,0,0.... •/ 

/• •/ 

/• operation: I .shift left till end. V 

/• 2.shirt back right till start. •/ 

//ShiftR - 7 - ToBiUndex; 

//ShiftL » 7 - ( ToBrtlndex - FromBttlndex ); 

switch (pFiefd-> I ypc ) 
{ 

caseTF BYTE: 
ShiftL • (BYTEX7 - pBits.>ToBit1ndex); 
ShiftR « (BYTEX7 - ( pBits->ToBitfndex • pBil9->FromBrUndcx ))\ 



IT- 
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•(BYTE •ipOutDaf - (BYTEX (B YTEX C<BYTE •fclnDat.) « ShiftL ) » ShiftR ) ; 
break; 

caseTF WORD. M % • 

chi a r » in YTEV 1 5 - oBits->ToBttlndex); 

^RD^D-tB - (WORDX (WORDX C(WORD *)plnDaU) « Sh.ftL ) » SmftR ) . 
break; 

^riple^^aUoi ♦ (plnDatall|«S) + ( P lnDatal2|«l6); 
ShiftL - <BYTE)(2J - P Bits->ToBMndex); 

ShiftR - (BYTEX23 - < P Bits->ToBitlndex - pBit3^FromBiflnd« )). 

Triple - ( Triple « ShiftL ) A OxflfHT; 

Triple - ( Triple » ShiftR ); 

pOutDatat21 - (BYTEX(Tnple»I6) A Oxfl); // most 

pOtitDaial 1 1 - (B YTEX(Triple>>8) & Oxll); ^ddlc 

pOutData|0| - (BYTEX(Triple) A OxfT); // least 

break; 
case TF DWORD: 

ShiftL - KBY\M){2 1 - pBits.>ToBalndex); 

break; 
case TF_LARGE: 
ShiftL -(BYTEX63-pBiUi->ToBit!odex); 

ShiftR - (B YTEX6 J - ( P BtU->ToBitIndex - pBiU^FromBittadex J). , 
•(UINT64 'JpOutData « (UINT64X (UlNTMX C(UINT64 *)plnData) « ShtftL ) » ShiftR ) , 
break; 

default : DEBUG_ERR ( - MatchBita: Unknown Type ! *); return < FALSE ); 

I 

return ( MatehSingler ield ( pField, pSyncVal, pOotDaia ) ); 



• NAME: TChannelftotccolAnaiyzeT::MatehSingleFiekl 

• DESCRIPTION: Match for s single specific field. 
• 

• pField - pointer to field. 

• pSync V si - pointer to synchronization record. 

• pOutData - pointer to next position of converted and 

• decoded buffer. 
• 

• RETURN VALUE: Return TRUE for match or FALSE for no match. 

• ' 

• NOTES: This routine does not handles a decoding function 

• S ize of InData always remains the same as Out Data. 

• Calling function must ensure trier's enough decoded 

• buffer space. 



bool _!astcal! TChaimelfttrtocolAiudyxer::MatchSing!eField ( PT.PROTOJ-IELD pField, PTSYNCVALUE pSyncVal, BYTE 
*pOutDaU ) 

* PT SWITCH VALUE pSV; // pointer to Switch Value structure 
DWORD Triple; 

/ • •*«••••••••••••«•/ 

/■ Process: •/ 

/• V 

f try to match according to synchronization info. •/ 

••••••••••••••••••• •••♦•••••••••../ 

switch ( pField->Type ) 
{ 

case I K J YTB: switch I pSyncVal.>Sync ) 
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no match 
match 



{ 

casc$F_ALL : return ( TRUE ); 

case SF_nXED : if ( '(BYTE *)pOutData — '(BYTE *)pSyncVal->Fixed ) 
return ( TRUE ); 
return ( FALSE ); // 00 match 
case SFJtANGK : if( ( •(BYTE ')pOutData >- *(BYTK *)pSyncVal->LLimit ) &A 
( •(BYTE *)pOutDst8<» "(BYTE »)pSyncVaJ->HUmh ) ) 
return ( TRUE ); 
return ( FALSE ); // no match 
case SF_MASK : if ( *(BYTE *)pOutData & '(BYTE ')pSyncVal->Mask ) 
return ( TRUE ); 
return ( FALSE ); // no match 
caseSF SWITCH : pSV - P SyncVal->pFirst; 
while (pSV I- NULL) 
< 

if ( '(BYTE *)pOutData — *(BYTE ')pSV->Fixed ) 

return ( TRUE ); 
pSV-pSV->pNext; 

» 

return ( FALSE ); // no match 
case SF JFCS : DEBUG_ERR ( ■ MetchStngleFteld (TF_BYTB): SF_FCS not handled I*); return (FALSE); // 

default ; DEBUG.ERR ( " MatchSingteField (TFJJYTE): Unknown Sync value I"); return (FALSE); // no 

1 



case TF_WORD: switch ( pSyncVat->Sync ) 
I 

case SF_ALL : return ( TRUE ); 

case SF_FIXED : ii ( '(WORD »)pOutData — ♦(WORD •)pSyncVal->Fixed ) 
return (TRUE); 
return ( FALSE ); // no match 
case SF_RANGE : if(( # (WORD *)pOulData>- *(WORD •)pSyncVa|.>LLimit)&& 
( '(WORD ')pOutDeta <- '(WORD •)pSyiMJValo > H Limit ) ) 
return (TRUE); 
return ( FALSE ); // no match 
case SF_MASK : if ( '(WORD 'JpOutDaU ft '(WORD *)pSyncVal->Mask ) 
return (TRUE); 
return ( FALSE ); // no match 
case SF_SWTTCH : pSV - r)SyncVal->pFirst; 
while (pSV !-NULL) 
( 

if ( '(WORb ')pOutDate — •(WORD ')pSV->Fixed ) 

return ( TRUE ); 
pSV-pSV->pNexi; 

) 

return ( FALS'E ); // no match 
no match eiBBSF - ra : DEB UOJ^("Ma^^ 

match defWU : DEBU0 - ERR < " MatchSingleField (TF.WORD): Unknown Sync value I"); return (FALSE); // no 

) 

case TFJTRJPLE: Triple - pOutData(O) + (pOutDaiatl ]««) +(pOutDatal2|«l6V 
// Notice thai 41h byte of each pSyncVaf field must be 
ft initialized with zero else DWORD conversion is invalid, 
switch ( pSyncVal->Sync ) 

case SF_ALL : return ( TRUE ); 

caseSF_F1XED : if ( Triple — '(DWORD ')pSyncVal-*Fixea ) 
return (TRUE); 
return ( FALSE ); // no match 
case SFJIANGE : if( ( Triple >- '(DWORD •) P SyncVa].>LUmit )&* 
( Tnple <- '(DWORD 'JpSyncVal^HLtmrt ) ) 
retum(TRUE); 
return ( FALSE ); // no match A , 
case SF^MASK : if ( Triple ft '(DWOlfo ')pSyneVal->M ask ) 
» return (TRUE); 

* rctum ( FALSE ); // no match 
caseSFjWUCH : pSV -p$yncVel->prim; 
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while (pSV I- NULL) 
\ 

if ( Triple — • (DWORD »)pSV.>Fix€d ) 

return (TRUE); 
pSV-pSV^pNod; 

} 

return ( FALSE ); // do match 
case SF _FC$ : DEBUG_ERR ( ■ MatchSingleField (TF JTRIPLE): SF_FCS not handled !"); return (FALSE); // 

no match 

• default : DEBUOJiRR ( ■ MatchSingleField (TF_TRIPLE): Unknown Sync value I"); return (FALSE); // no 
) 

case TF_DWORD. switeh ( pSyneVal->Sync ) 
caseSF ALL : return ( TRUE ); 

case $F J*IXED : if( ♦( DWORD «)pOutDtts — "(DWORD *)pSyocVa|.>Fixed ) 
return ( TRUE ); 
return ( FALSE ); // no match 
case SF_RANGE : If ( ( ♦(DWORD ♦)pOutData >- *(DWORD »)pSyncVal->LUmtt ) AA 
( •(DWORD •jpOutDala <- *(DWORD •feSyncVaf->H Limit ) ) 
return ( TRUE ); 
return ( FALSE ); // no match 
case SF_MASK : if ( "(DWORD *)pOuiData & "(DWORD *)pSyncVal->Mask ) 
return ( TRUE ); 
return ( FALSE ); //no match 
easeSF_SW!TCH : p$V » pSyncVal->pFtrst; 
while (pSV I- NULL ) 
i 

»r( •(DWORD -)pUutDaU — "(DWORD •)pSV.>Fixed ) 

return ( TRUE ); 
pSV -pSV->pNcxt; 

return ( tr ALSK ); // no match 
case SF_FCS : DEBUG_ERR ( " MatchSingleField <TFJ>WORD): SF FCS not handled P); return (FALSE); 

//no match 

default : DEBUG_ERR ( ■ MatchSingleField (TF_DWORD): Unknown Sync valne I"); return (FALSE); // 

no match 

) 

case TF_L/JRGE: switch ( pSyncValo* Sync ) 
caseSFJVLL : return ( TRlJJE ); 

case SF_FIX£D : if ( ♦(UINT64 «)pOutDeta — *<U!NT64 «)pSyncVal->Fixed ) 
return (TRUE); 
return ( FALSE ); // no match 
case SF_RANOE : lf< ( "(UINT64 •)pOutData >- •(UINT64 ')pSyncVai->LLimit ) && 
( »(UINT64 *)pOutData <- •(U1NT64 »)pSyncVal^HLimit ) ) 
return ( TRUE ); 
return ( FALSE ); // no match 
case STOMAS K : if ( •(UINIM *>)pOutDeta & •(UlN'l M •)p$yncVal->Mask ) 
return (TRUE); 
return ( FALSE ); // no match 
case SF^S WITCH : pSV - pSyncVal->pFtrst: 
while (pSV !- NULL) 

if ( •(UTNT64 ♦JpOutData — ♦(UINT64 •)pSV.>Fwed ) 

return (TRUE); 
pSV-pSV^pNext; 

) 

return ( FALSE ); // no match 

nonAtch cascSh - KCS OEBUU_ERR( * MatcfjSmgfeFteM (TF_LARGE): SF_FCS not handled !"); return (FALSE); // 

match <fcftUU : UEtiUO - tRK < * MatchSingleField ( I K.LAKGE): Unknown Syne value f); return (KALSt*); // no 

I 



I 



default : DEBUO_ERR ( - MatchSingleField: Unknown Type I •* return < FALSE ); 
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* NAME: TChmmelProtoeolAnJyier.-.DteodeAndConvertMultFidd 

* 

* DESCRIPTION: Decode and convert all multiples of Odd. 

* Also verifys that DecodedBuf is big enough to 

* contain decoded data. 
• 

* pField - field to convert. 

* Multiples - Multiples of field. 

* plnData - Node's mm analyzed data bytes (yet not decoded) . 
* 

* RETURN VALUE: TRUE for ok, or FALSE Tor field's DecodedBuf too small 
» 

* NOTES: This routine does not handles a decoding function 

* Size of Inpats always remains the same as Out Data 



bool _fastca!l TCharme IProtocoi Analyzer:: Decode AndConvertMultField ( PT PROTO FIELD pField, DWORD Multiples, BYTE 

"plnData) r 

< 

DWORD i; 
BYTE FieldSize; 
BYTE 'pOutData; 

FieldSize ■ pField->Type; 
pOutpata « pField-> DecodedBuf; 

if ( Multiples • FieldSize > pFteld->MaxDecodedBuGize ) 
retunK FALSE ); 

// Scan all data (according to Multiples): 

for ( i - 0; i < Multiples; i-M- ) 

{ 

DecodeAndConvertSingleFietd ( pField, plnData, pOutData ): 
plnData +- FieldSize; 
pOutData +~ FieldSize; 

} 



retum( TRUE ); 



J NAMt: ^ h ™dr»rrtowlAnaJyzi^^ 

J WaCKIFIlUN: Decode and Convert Single multiples ot • spectftc Held, 
pt icld - tield to convert. 

plnData - Node's oon analyzed data bytes (yet not decoded) 
pOutData . Node s analyzed and decoded data bytes. 

* RETURN VALUE: None. 
« 

* NOTES: This routine does not handles a decoding function 

* Size of InData always remains the same as OuCData. 
Calling function must ensure tiler's enough decoded 
buffer space. 

t 

' » v 

/♦Vrocws: ' 
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V 

/* I. Cop> to out bulTer according to bits' order: V 
/• 2. Perform internal decoding operation (if BYTE). V 

/## " 

switch ( pFiefd>>Type ) 

( 

case TF_BYTE: pOutData(O) - plnData[OJ; 

switch ( pFidd->Convert ) // Special conveniens for BYTE Type: 
case CON J40_CONVERT: break; 

case CON j\DD : pOutDaUlO] +- pFietd.>ConverlVal; break; 
caseCON_SUB : pOutData(0J - pField->ConvertVal; break; 
caseCUN_NOT_LOGlC : pOulDatalOJ -(BYTEHpOutDstalOJ); break; 
caseCON_OR_LOGIC : pOutDatafO] h pFie1d->ConvettVal; break; 
easeCON_ANU_LUOlC : pOutUata(0| &- (Jhdd->ConvcrtVal; break; 
caseCONJCORJLOGIC : pOutData[0J ^pFieW-fConvertVal; break; 

use CON JMND LOGIC : pOutDatalOJ - (BY! t*X~(pUutDataW& prield->X;onvertVal)); break; 
^ default : DEBUO_EWU"Decc^nd^ 

break; 

caseTF_WOkD: If ( pField->BitDir — BD MSB FIRST) 
* { //Motorola like (Big indian) •-> swap 
pOutDatalOJ'plnDatallJ; 
^ pOutData[l)«pInData(0J; 

else 

•(WORD 'JpOutData - •(WORD ')plnDiU; 
//switch ( pField-M:onvert ) // Special converttons for WORD t ype: 



// case CON_NO CON VfcRT: break; 

// e>W £S2-£J3!P : *< W0 ^*>POutDaia4-VWORD*)pFieW^ 
< ~S23-S UB ; < W0 ^*>P<>^^nWOWJ»)pFidd->Coirvm 
case CON.NOT LOGIC : *(WORD •JpOutDaffOJ - -.'(WORD *)pOutData; bra* 
cTJ oK-& •jpOutl^ ^ i (W0 ^ ^Fietd^^TbnMk; 

W >Con^ ^ORD%Data.4nWORO^^ 



// default: 

// 

ff) 

break; 



DEBUG_ERR ( - CfccodeAndConvertSingleField: Unknown Convert type T); break; 



caselF.rRlPLK:ir(phictd.>HitUtr«BO MSB FIRST I 
{ // Motorola like (Big indian)- " 

' POutOatalUj-pinUatafil; 

pOutDatalll-plnData|l); 
^ pO«tData(21-ptnDatalOJ; 

else 
I 

pOutDatafOJ-ptnDalalOJ; 
pOutData|lJ- p inDaU|I|; 
pO«0«s!2|-plnData(2); 



case TF _DW0RD: if( pFicld^BUDir - BD MSB FIRST) 
I // Motorola like {Big indian) -> swap **" 

pOutData(0j - pInData[3J; 

pOutDatal 1 1 - plnDatal2|; 

pOutData(2J-plnData(U; 
^ pOutDatsOI-plnUataiui; 

else 
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♦((DWORD «)pOutData) - '((DWORD *)plnD8ta); 
break; 

case TFJ-AROE: if ( pField->BitDir — BDJrfSBJTRST ) 
" { ft Motorola like (Big indian) swap * 
pOutDaia(O) - plnDatalT); 
pOuiDotaj I ) - pbtDatal6]; 
pOutData[2| - pin Data j 5]; 
pOulDaupi " plnData[4j; 
pOutDatat4| « plnDatat3); 
pOtitDatajsi - plnData[2]; 
pOutDatal6) * ptnData(l j; 
pOulDatal7) - plnDatalO); 

} 

else 

•((UINT64 *)pOutData)- *((UfNT64 *)plnDaU); 
break; 

default : DEBUG_ERR ( " DecodeAitdConveftSlngleField: Unknown Type I 

) 

) 



* NAME: TChannelProtoeolAnalyier:CheckNodeCondiUons 

* DESCRIPTION Checks all conditions in a given node. 

* RETURN VALUE: None. 
* 

* NOTES : Called upon analysts synchronized on pNode. 

♦...♦♦♦♦•.♦♦♦••♦♦•♦.••♦♦♦.••••.••.♦♦•**♦•♦•♦♦*♦•*•*♦♦♦••••♦•♦♦••*•♦•*•••••/ 

void _fasteall TCharmelProtcKol Analyzer ::C^^ PT J»ROTO_NODE pNode, DWORD Multiples ) 

{ register PT_HOOKED_CONDITION$ pHookedCondition - pNoae^FirstHookedCondition; 

// Scan all conditions... 

while ( pHookedCondition 1* NULL ) 

^ P HookcdCorrfiUon->pOnCheckConditionFunc( pNode, pHookedCondition->pConditionNode, Multiples ); 
pHookedCondition - pHookedCondition^pNext; 

) 

I 



* NAME: TChannelProtocolAnaly zer: :CheckProtocolConditions 

• DESCRIPTION: Checks all conditions In a given protocol. 

• RETURN VALUE: None. 
* 

♦ NOTES: Called opoQ analysis synchronized on p Protocol. 

void __tastcall TO)aiinelProtocolAnaryzer::Chec^^ PT PROTO TREE p Protocol ) 

( 

register pr_HOOKfcD_CONUVI IONS pHookedCondition - pFYotocol->pFirstHookedConAnbn; 

// Scan all conditions... 

while ( pHookedCondition I- NULL ) 

\ 

pHookedCondilion->pOnCheckConditionFuric( pProtocol, pHookcdCondftion->pConditi on Node, 0/*Multiplcs are dummy*/); 
pHookedCondition • pHooke4Londttion->pNexti 
i 
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I 



• NAME: TOumnelPTOtocolAnalyier.NodeVriueAf DWORD 

• DESCRIPTION: Retuens node's first decoded value converted to DWORD. 
♦ 

pNodc - protocol node from which to peek decoded value. 

• RETURN VALUE: None. 

• NOTES: None. 

/ 

DWORD _fastcall'^^ 

• BYTE •Buf; 

i! t pNode->pBils ) 
Buf - pNode.>pBits->DecodedBits; 

else 

Bui « pNode->pFteld->DecodedBuf, 
switch ( pNode->p>*ierd-> I ype ) 

1 caseTF BYTE: return ( (DWORDX # UBYTE ')Bu»)) )\ 
case TF WORD: return ( (DWORDX'((WORD •jBul)) )i 
case IF" I RIFLE: return ( (OWORD)BufiUl ♦ 

(((DWORD)Bufll 1>«8) + 

(UDWORD)Buit2|)«16)>; 
caseTF DWORD: return ( '((DWORD «)Buf) ); ^ k 
case TF'LAROE. return ( (DWORDXMUWTW *)Buf)) 

£ftult DEBUO.ERR ( - NodeValueAsDWORD: Unknown Type I "); return (0), 

) 

I 



// — — 

flpragroa package(sTnart_mit) 
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